
Serious Security Flaw in Mac OS X/Safari/Help Viewer (Page 2)
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Status: Offline
May 15, 2004, 10:39 AM
 
Originally posted by CharlesS:
Unless you delete the file I pointed to earlier in this thread, which I recommend everyone to do!
CharlesS, this has nothing to do with the OpnApp.scpt

Deleting the OpnApp.scpt does NOT protect you from this vulnerability!

Neither does it help to modify the OpnApp.scpt or to delete the MacHelp.help as lixlpixel suggests.
HelpViewer will execute any script that it is told to execute in the URL. If the URL is known and fixed this can be exploited. And the URL of a script on a mounted volume is known.

The following link will open the "Current Date & Time.scpt" for example without the use of the OpnApp.scpt

help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt
( Last edited by Developer; May 15, 2004 at 11:29 AM. )
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
AsiaWrite
Fresh-Faced Recruit
Join Date: Dec 2002
Location: Pasadena, CA
Status: Offline
May 15, 2004, 11:10 AM
 
This whole discussion is moot if the user has software like Norton AV that "scans on mount" enabled (which is turned on by default).
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
May 15, 2004, 11:10 AM
 
Yah, this stuff really makes me nervous...

I think Apple needs to look into all of this and set the default to a very secure standard.

At the same time, there must be a way to make it easy for a person to download programs.

I wonder if this could be the new application installer offered by Apple.
Apple could "guarantee" specific programs.

Think iTunes-like button for "safe" downloads directly from Apple "guaranteed" virus/trojan free?!
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 11:30 AM
 
there is a very positive approach on macnyt.dk/forum/?page=thread&topic=10846340014639601

there is a guy named Jens Jakob Jensen from Denmark who has built exactly such a setup but which will FIX the helpviewer. kind of selfhealing happening here ...

looks like there are always two sides of a medal.
( Last edited by lixlpixel; May 15, 2004 at 04:33 PM. )
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
May 15, 2004, 11:33 AM
 
Originally posted by lixlpixel:
there is a very positive approach on http://macnyt.dk/forum/?page=thread&...46340014639601

there is a guy named Jens Jakob Jensen from Denmark who has built exactly such a setup but which will FIX the helpviewer. kind of selfhealing happening here ...

looks like there are always two sides on a medal .
I think you mean, "there are two sides to every coin (or story)"
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Status: Offline
May 15, 2004, 11:35 AM
 
Originally posted by lixlpixel:
there is a guy named Jens Jakob Jensen from Denmark who has built exactly such a setup but which will FIX the helpviewer. kind of selfhealing happening here ...
I'm not clicking it since I don't know what it does. But since it is called "OpnApp fixer" then note that the vulnerability does work without OpnApp.scpt. See my post above.
( Last edited by Developer; May 15, 2004 at 11:49 AM. )
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 11:54 AM
 
don't worry - i wouldn't post this if i hadn't looked at the code.

but of course it doesn't start right away, he'll give you the choice if you want one-click-does-it-all or classic with download and co...


and that it doesn't get rid of the problem itself is pretty clear.

but it's not HIS job to fix this.

i just found it worth mentioning, because it demonstrates why someone might have once thought it would be nice to implement.

i mean, imagine a world where these features could be in the software WITHOUT someone thinking of destruction.

after all it's still Macintosh - and remember - you need an Apple to make the .dmg and / or an Applescript.

and i strongly believe that no Mac-user would deliberately harm another Mac-user just like this ( i hope) - this would be different if this would affect Windows PCs ...
     
zen jihad
Registered User
Join Date: May 2004
Location: Just a groove in "G"
Status: Offline
May 15, 2004, 12:00 PM
 
Originally posted by AsiaWrite:
This whole discussion is moot if the user has software like Norton AV that "scans on mount" enabled (which is turned on by default).
That's the problem, most don't. Most users probably won't even know about this new problem, and their computers are set up with the basic defaults. Apple needs to address this, then there's the better chance people will be covered.
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Status: Offline
May 15, 2004, 12:03 PM
 
Originally posted by lixlpixel:
and that it doesn't get rid of the problem itself is pretty clear.

but it's not HIS job to fix this.
Good, but his script messes with the OpnApp.scpt. The OpnApp.scpt is not required for this vulnerability. Paste the following into the address bar:

help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt

It will launch the Current Date & Time script without the help of OpnApp.scpt. Instead of the Date & Time script this could be a script on the disk image. So messing with OpnApp.scpt does you nothing good. I suggest you do not do this.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Status: Offline
May 15, 2004, 12:07 PM
 
Summary:

• Deleting or modifying the OpnApp.scpt doesn't protect from this vulnerability
• Deleting the MacHelp.help doesn't protect from this vulnerability
• Deleting the help protocol with MisFox doesn't protect from this vulnerability
• Changing the help protocol to something else than Help Viewer (I use Chess) seems to help

I suggest you download MisFox and change the application for the help protocol from Help Viewer to something else.

Get MisFox here:

http://www.clauss-net.de/misfox/misfox.html

and click the Protocol Helpers tab.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 12:08 PM
 
you posted this several hours ago and it already didn't work then - want to know why ?

because i disabled the help application 3 months ago .

and yes - i CAN read...



     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
May 15, 2004, 12:17 PM
 
Originally posted by lixlpixel:
do you really believe i would make that public without telling Apple ?

I LOVE APPLE

i can't sleep since i did it - i only did it because of so many "new" (more or less serious) exploits for the Mac surfaced.

(and because Apple didn't respond on my bug report for over two months)
Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to do list and hasn't been read by the right people yet.

Contact Apple directly at [email protected]

NOW!!!!

Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:

http://www.info.apple.com/usen/security/index.html

JLL

- My opinions may have changed, but not the fact that I am right.
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 12:34 PM
 
wrong - i'm a webmaster - and webmasters just love to keep logs you must know...

and someone@apple was exactly 5 hours after the bug report on the site.

and again the day after - and so on ...
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
May 15, 2004, 12:41 PM
 
Originally posted by lixlpixel:
wrong - i'm a webmaster - and webmasters just love to keep logs you must know...

and someone@apple was exactly 5 hours after the bug report on the site.

and again the day after - and so on ...
So you're leaning back saying "Someone at Apple has seen this - I'm certainly not going to mail Apple at [email protected]. The Apple guy can do that" ??

Just contact the right people!
JLL

- My opinions may have changed, but not the fact that I am right.
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
Status: Offline
May 15, 2004, 12:45 PM
 
Originally posted by lixlpixel:
you posted this several hours ago and it already didn't work then - want to know why ?

because i disabled the help application 3 months ago .

and yes - i CAN read...



but it is just the help app? Maybe other apps can be used as well.
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 12:46 PM
 
well - if the category security under http://developer.apple.com/bugreporter/index.html is NOT the right place to tell this to Apple , then you might be right.
     
mcalmus
Fresh-Faced Recruit
Join Date: Oct 2003
Status: Offline
May 15, 2004, 12:53 PM
 
This vulnerability is obviously an operating system level bug since it seems to affect most (all?) web browsers. I was able to execute the test cases within Mozilla and have filed a security report with them in case Apple is slow at fixing it.
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
Status: Offline
May 15, 2004, 12:59 PM
 
Originally posted by mcalmus:
This vulnerability is obviously an operating system level bug since it seems to affect most (all?) web browsers. I was able to execute the test cases within Mozilla and have filed a security report with them in case Apple is slow at fixing it.
interesting.


I wonder if there are any other protocols that could be used.

We know "help:" works


but what about all the others?
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
May 15, 2004, 01:02 PM
 
Originally posted by lixlpixel:
well - if the category security under http://developer.apple.com/bugreporter/index.html is NOT the right place to tell this to Apple , then you might be right.
You're a stubborn little guy aren't you? Just send the mail.
JLL

- My opinions may have changed, but not the fact that I am right.
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 01:13 PM
 
i have - this morning . (sent an email)

and yesterday i wrote already
and last tuesday another ...



look - i gain nothing but bad karma from this anyway, so i didn't do this for fun, but because i have a lot of friends who don't mind if things get downloaded and mounted and activated around them - because they trust ( like me) in apple - and then they wonder why some files are missing.

and i simply didn't want to wait until someone makes a bad surprise out of that.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 01:22 PM
 
Originally posted by JLL:
Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to do list and hasn't been read by the right people yet.

Contact Apple directly at [email protected]

NOW!!!!

Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:

http://www.info.apple.com/usen/security/index.html

HEY, WHO the fu©k asked you to be Apple's Nazi? Get off his case already, don't kill the messenger.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below.
For the protection of their customers, my arse. Bloody chickens can't even be honest here, of all places.

In any case, we'll see how long it takes Apple to move their fat arses after Slashdot gets on their case.
weird wabbit
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 01:41 PM
 
Originally posted by theolein:
For the protection of their customers, my arse. Bloody chickens can't even be honest here, of all places.
This is standard operating procedure for most companies whenever a security bug is found. Let them do their job, properly.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 01:45 PM
 
Originally posted by Person Man:
This is standard operating procedure for most companies whenever a security bug is found. Let them do their job, properly.
Bullsh©t, if they would do their job properly we wouldn't be discussing this right now.
weird wabbit
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 01:47 PM
 
Originally posted by theolein:
Bullsh©t, if they would do their job properly we wouldn't be discussing this right now.
Would you rather have a *proper* fix done right and released in a week's (or longer) time, or a half-assed job done quickly right now that isn't properly tested that may have the potential to break huge parts of the operating system (or worse, introduce an even BIGGER security hole)?
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 01:51 PM
 
Originally posted by Person Man:
Would you rather have a *proper* fix done right and released in a week's time, or a half-assed job done quickly right now that isn't properly tested that may have the potential to break huge parts of the operating system (or worse, introduce an even BIGGER security hole)?
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
weird wabbit
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 02:00 PM
 
Originally posted by theolein:
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
I know. I'm not trying to minimize the danger. If you look, though, Apple is usually (key word) pretty quick about quickly fixing legitimate security holes (and this one is pretty darn legitimate, if you ask me).

The trojans that Intego has gone apesh*t over aren't legitimate security "holes" and as such there is not much one can do to prevent that sort of thing (without making increasingly elaborate hoops for the user to jump through as the trojan writers find a way to socially engineer their way around them).

But, Apple should also be able to fix this hole properly without breaking the useful functionality of being able to automate things from the help system (via AppleScript) for inexperienced users and without breaking other applications' ability to launch the help viewer using the "help://" URL system. (Like say, control-clicking on a button in a program could open the help page explaining what that control does, for example... easy to program in this way).

Again, Apple has traditionally been fairly responsive in fixing legitimate security holes in the past and I have no reason to believe that they will not act in a timely fashion in this case either. (EDIT: Well, if it was reported to them in February, then they do need to do something now).

In any case, jumping up and down and using little copyright symbols to get around the profanity filters in these forums is going to do absolutely NOTHING to fix the problem. Which should have been fixed *yesterday*.
( Last edited by Person Man; May 15, 2004 at 03:34 PM. )
     
Tijer
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 02:01 PM
 
Originally posted by theolein:
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.

But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?

Greets,
Tijer
There's more to this signature than you
think.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 02:11 PM
 
Originally posted by Tijer:
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.
Nobody said the OS was perfect. EVERY operating system has security holes. Apple is no more immune than the rest of them. That doesn't mean they are stupid.

This is nothing more than a design oversight that became a huge security hole. When they designed the help system (read my post above to see why it's designed the way it is), and the ability to automatically mount a disk image from the browser, they probably never even thought about the fact that someone might combine those two things with a browser refresh command to do bad things. Each piece of the exploit was probably developed separately, too.

Before 9/11, *most people* (key words) probably *never* thought that terrorists would hijack planes and crash them into the World Trade Center, Pentagon (and potentially even the White House or Capitol Building).

Same thing here. People make mistakes, and even when you're being more security-conscious from the beginning (like Apple generally does), you are *never* going to eliminate the possibility that any new feature that you introduce, no matter how benign it may be by itself, could be combined with another, equally benign feature by itself, to produce a serious security threat.

To suggest that Apple is immune from these things (as your statement "perfect argument" suggests) is ludicrous.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 02:15 PM
 
Originally posted by Tijer:
But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?
The disk:// thing by itself won't cause the problem. You have to combine three separate things to have the full hole.

One: a disk image with the malicious code on it. (get the user to download it)
Two: issue a meta-refresh of the page after the image is downloaded (should be able to be accomplished with the right URL)
Three: as part of the refresh of the page, the <help:// ... run script (known path to malicious code on image)> command executes the malicious code on the image.

Three pieces of functionality that, by themselves, don't present anywhere near as much of a threat as the three of them combined together.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 02:21 PM
 
Originally posted by Tijer:
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.

But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?

Greets,
Tijer
That's because my server is slashdotted or something, if you mean the link I posted.
weird wabbit
     
Tijer
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 02:24 PM
 
Originally posted by theolein:
That's because my server is slashdotted or something, if you mean the link I posted.
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
There's more to this signature than you
think.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 02:28 PM
 
Originally posted by Person Man:
I know. I'm not trying to minimize the danger. If you look, though, Apple is usually (key word) pretty quick about quickly fixing legitimate security holes (and this one is pretty darn legitimate, if you ask me).

The trojans that Intego has gone apesh*t over aren't legitimate security "holes" and as such there is not much one can do to prevent that sort of thing (without making increasingly elaborate hoops for the user to jump through as the trojan writers find a way to socially engineer their way around them).

But, Apple should also be able to fix this hole properly without breaking the useful functionality of being able to automate things from the help system (via AppleScript) for inexperienced users and without breaking other applications' ability to launch the help viewer using the "help://" URL system. (Like say, control-clicking on a button in a program could open the help page explaining what that control does, for example... easy to program in this way).

Again, Apple has traditionally been fairly responsive in fixing legitimate security holes in the past and I have no reason to believe that they will not act in a timely fashion in this case either.

In any case, jumping up and down and using little copyright symbols to get around the profanity filters in these forums is going to do absolutely NOTHING to fix the problem. Which should have been fixed *yesterday*.
Fu©k that. If you think that being PC is going to resolve this any quicker, then you're welcome. A story on slashdot, on the other hand, is sure to put a little fire under Apple's overweight arse.

I don't care if Apple has traditionally been better. I pay Apple for their hardware and software, not the other way around. When they pay me to be polite and shut up, then I will, not before.

I will never understand the zealotry that goes on on this platform.
weird wabbit
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Status: Offline
May 15, 2004, 02:33 PM
 
Originally posted by Tijer:
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
Imagine an image gallery with "Next" image links. Silently mount the disk image in the background. The 3rd or so "Next" link is to the Help Viewer URL. How many people would notice before clicking the link? Could be a lot of deleted home folders.
Originally posted by theolein:
A story on slashdot, on the other hand, is sure to put a little fire under Apple's overweight arse.
The heise article should take care of that already.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 15, 2004, 02:36 PM
 
Originally posted by Tijer:
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
It is. Think for a second: A malicious scriptkiddy posts a page on a site that has a Meta refresh tag with a disk:// url in it that automatically mounts a disk image in the background. That disk image always mounts under /Volumes, i.e. the path is known. On that disk image is an Applescript with a simple command in it: do shellscript="rm -rf ~/*". Now on the same webpage that automounted the diskimage in the background, there is a link that says, say, "Click here for naked Asian chicks" or something. The link however, is a url of the type help:runscript=/Volumes/TheDiskImage/TheAppleScript.scpt and once you click it, all your user data is gone, for good.

It is a vulnerability, and a serious one too.
weird wabbit
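
The combination described in the posts above (a meta refresh to a disk:// URL plus a help:runscript= link) can be checked for on the defensive side, for instance in a web proxy or mail filter. This is an added example, not code from any poster in this thread; the function names, the list of flagged schemes and the constructed sample page (which reuses the URL strings quoted in the thread with an example.invalid host) are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Schemes the thread shows a browser handing to a local helper application.
RISKY_SCHEMES = ("help", "disk")
URL_ATTRS = ("href", "src", "action")


def classify(url):
    """Return findings for one URL; an empty list means nothing was flagged."""
    scheme, sep, rest = url.strip().partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in RISKY_SCHEMES:
        return []
    findings = [f"{scheme}: URL is passed to a local protocol helper"]
    rest = unquote(rest).lstrip("/")
    if scheme == "help" and rest.lower().startswith("runscript="):
        path = rest[len("runscript="):]
        findings.append("help:runscript asks Help Viewer to execute a script")
        if path.lower().startswith("/volumes/"):
            findings.append("script path is on a mounted volume")
        if ".." in path.split("/"):
            findings.append("script path uses ../ path traversal")
    return findings


def refresh_target(content):
    """Extract the URL from a meta refresh content value such as '0; url=...'."""
    parts = content.split(";", 1)
    if len(parts) < 2:
        return None  # delay only, no redirect target
    key, sep, value = parts[1].strip().partition("=")
    if sep and key.strip().lower() == "url":
        return value.strip().strip("'\"")
    return None


class HelperUrlScanner(HTMLParser):
    """Collects (line, tag, url, findings) for every flagged URL in a page."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        urls = [attrs[a] for a in URL_ATTRS if a in attrs]
        # A meta refresh navigates without any click, so check its target too.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            target = refresh_target(attrs.get("content", ""))
            if target:
                urls.append(target)
        for url in urls:
            findings = classify(url)
            if findings:
                self.hits.append((self.getpos()[0], tag, url, findings))


def scan(html):
    scanner = HelperUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample page, built only from URL forms quoted in the thread.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=disk://example.invalid/TheDiskImage.dmg">
</head><body>
<a href="gallery2.html">Next</a>
<a href="help:runscript=/Volumes/TheDiskImage/TheAppleScript.scpt">Next</a>
<a href="help:runscript=../../Scripts/Info Scripts/Current Date &amp; Time.scpt">clock</a>
<a href="https://example.invalid/help:topic">docs</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, findings in scan(SAMPLE):
        print(f"line {line} <{tag}> {url}")
        for finding in findings:
            print(f"    - {finding}")
```
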
     
Tijer
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
May 15, 2004, 02:45 PM
 
Originally posted by theolein:
It is. Think for a second: A malicious scriptkiddy posts a page on a site that has a Meta refresh tag with a disk:// url in it that automatically mounts a disk image in the background. That disk image always mounts under /Volumes, i.e. the path is known. On that disk image is an Applescript with a simple command in it: do shellscript="rm -rf ~/*". Now on the same webpage that automounted the diskimage in the background, there is a link that says, say, "Click here for naked Asian chicks" or something. The link however, is a url of the type help:runscript=/Volumes/TheDiskImage/TheAppleScript.scpt and once you click it, all your user data is gone, for good.

It is a vulnerability, and a serious one too.
I see your point. I thought we were talking about two different types of vuln. so solving the help:runscript thing would solve the other.

For now I will go with altering the help: url to Chess, but I will be sad if apple does not have a fix within 2-3 days. This _is_ serious. I agree on that (as mentioned in my previous post).
There's more to this signature than you
think.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 02:53 PM
 
Originally posted by theolein:

I will never understand the zealotry that goes on on this platform.
I'm not trying to be a zealot. I, like you, think that the problem needs to be fixed, and it needs to be fixed very quickly. But jumping up and down isn't going to solve anything in the end (and you'll just be out of energy in the end).

The only thing that the media exposure *may* do, is increase the possibility of a half-assed attempt at a fix. Or, Apple could just address the hype by saying they're aware of the problem and are working on a fix and be patient, because it's coming.

Now, please explain to me how that makes me a "zealot."
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
May 15, 2004, 03:00 PM
 
Originally posted by Developer:
CharlesS, this has nothing to do with the OpnApp.scpt

Deleting the OpnApp.scpt does NOT protect you from this vulnerability!

Neither does it help to modify the OpnApp.scpt or to delete the MacHelp.help as lixlpixel suggests.
HelpViewer will execute any script that it is told to execute in the URL. If the URL is known and fixed this can be exploited. And the URL of a script on a mounted volume is known.

The following link will open the "Current Date & Time.scpt" for example without the use of the OpnApp.scpt

help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt
My God, you're right. It just gets worse and worse. I can't believe this thing is able to execute any script anywhere on the system, without it even being in the /Library/Documentation/Help folder!

You're right, the thing to do is to change the help: protocol to point to Chess using More Internet (by Diggory Laycock, on the boards - his signature has the link). I'm not sure why deleting the protocol didn't work, but changing it certainly has.
( Last edited by CharlesS; May 15, 2004 at 03:21 PM. )

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Stradlater
Professional Poster
Join Date: Oct 2002
Location: Off the Tobakoff
Status: Offline
May 15, 2004, 03:12 PM
 
Originally posted by theolein:
Damn straight there, Spliff. More sh©t like this from Apple and my next machine will be a PC.
"You rise," he said, "like Aurora."
     
zen jihad
Registered User
Join Date: May 2004
Location: Just a groove in "G"
Status: Offline
May 15, 2004, 03:13 PM
 
It's funny being a cross-platform user. You get to see people kick the cr@p out of MS for actually patching a vulnerability before a virus takes hold. Then to see Apple do nothing about theirs, and some people applauding them for being such visionaries.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 15, 2004, 03:20 PM
 
Most of my whole argument rendered moot upon a little more checking. Sorry.
( Last edited by Person Man; May 15, 2004 at 03:31 PM. )
     